CV0-004 · topic practice

Security practice questions

Practise CompTIA Cloud+ CV0-004 Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security

What the exam tests

What to know about Security

Security questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A cloud administrator is troubleshooting an issue where a user in the finance department cannot access a critical application hosted on a private cloud. The user can access other applications in the same subnet. The security team recently implemented a new network security policy. Which of the following is MOST likely causing the issue?

Question 2 · easy · multiple choice

An organization wants to ensure that only authorized personnel can access the cloud management console. Which of the following is the BEST method to achieve this?

Question 3 · hard · multiple choice

A company is migrating a legacy application to a public cloud. The application requires a static IP address for licensing. The security team insists on encrypting all traffic between the application and the database. Which of the following should the cloud architect implement?

Question 4 · easy · multiple choice

A cloud administrator is tasked with ensuring that only encrypted connections are used to transfer files to a cloud storage bucket. Which of the following should the administrator enforce?

Question 5 · medium · multi select

A company is implementing a cloud-based SIEM solution. Which TWO of the following are essential data sources that should be integrated to ensure comprehensive security monitoring?

Question 6 · hard · multi select

A cloud administrator is designing a secure multi-tenant environment. Which THREE of the following are best practices for isolating tenant workloads?

Question 7 · hard · multiple choice

A company experiences a data breach where an attacker exfiltrated data from a cloud storage bucket. The security team discovers that the bucket had a policy allowing public access. The cloud administrator had previously set the bucket to be private. Which of the following is the MOST likely reason the bucket became public?

Question 8 · medium · multiple choice

A cloud administrator is configuring a web application hosted on a public cloud VM. The application must be accessible over HTTPS, and the administrator needs to ensure that all traffic between the client and the server is encrypted. The cloud provider offers a managed certificate service. Which of the following is the BEST practice for securing the application?

Question 9 · hard · multiple choice

A cloud administrator is troubleshooting connectivity to a web server running on a Linux VM. The web server is configured to listen on ports 80 (HTTP) and 443 (HTTPS). The administrator runs the iptables command shown in the exhibit. Based on the output, what is the MOST likely reason that external users cannot access the web server on port 443?

Exhibit

Refer to the exhibit.

```
# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
 100  12000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  50   6000 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  20   2400 ACCEPT     tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:443
  10   1200 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
```

Question 10 · easy · multiple choice

A cloud engineer is responsible for securing a multi-tier application deployed on IaaS. The application consists of web servers, application servers, and database servers. The engineer needs to implement network segmentation to minimize the attack surface. Which of the following is the BEST approach?

Question 11 · easy · multiple choice

A company is migrating its on-premises workload to a public cloud. The security team wants to ensure that all data transmitted between the on-premises network and the cloud VPC is encrypted in transit and that the connection uses dedicated bandwidth. Which of the following should the security team implement?

Question 12 · medium · multi select

A cloud administrator notices that an IAM user has permissions that are not explicitly assigned. The administrator suspects that the user is inheriting permissions through group membership or role assignment. Which TWO methods can the administrator use to identify all effective permissions for this user? (Choose TWO.)

Question 13 · hard · multiple choice

Refer to the exhibit. A cloud security engineer is reviewing an S3 bucket policy that controls access to the 'example-bucket' bucket. The 'AdminRole' IAM role attempts to upload an object to the bucket using the AWS CLI without specifying the '--server-side-encryption' parameter. The object transfer uses HTTPS. What will be the outcome?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 14 · medium · drag order

Sequence the steps to troubleshoot a cloud-based application that is not accessible from the internet.

Question 15 · medium · drag order

Sequence the steps to configure a cloud monitoring alert for high memory usage on a virtual machine.


Match each storage type to its characteristic.


Data stored as objects with metadata

Data divided into blocks; used in SAN

Data stored in a hierarchical file system

Temporary storage tied to instance lifecycle

Match each troubleshooting command to its function.


Test network connectivity

Trace path to destination

Query DNS records

Display network connections and ports

Transfer data using various protocols

Question 18 · medium · multiple choice

A cloud administrator is configuring a new virtual private cloud (VPC) and needs to ensure that traffic between web servers and database servers is restricted to only the necessary ports. Which security approach should the administrator implement?

Question 19 · hard · multiple choice

A company has deployed a multi-tier application on a public cloud platform. The security team discovers that a Compute Instance is communicating with an external IP address known for malicious activity. The instance is part of an auto scaling group. What is the BEST immediate action to contain the threat while minimizing downtime?

Question 20 · easy · multiple choice

A cloud architect is designing a solution to ensure that data at rest in an object storage bucket is encrypted. The company requires that the encryption keys are managed by an on-premises hardware security module (HSM) to maintain control. Which encryption approach should the architect choose?


Frequently asked questions

What does the CV0-004 exam test about Security?
Security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CV0-004 topics?
Use the topic links above to move to related areas, or go back to the CV0-004 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CV0-004 exam covers. They are not copied from any real exam or dump site.